Solution

Overview

How do I reset the enable password on the ProxySG?

I forgot my enable password. How do I reset the enable password?

How do I recover from a forgotten enable password?

How do I reset the console user password?

Cause

Resolution

In order to reset the enable password on the ProxySG, you will need to have physical access to the ProxySG itself. Depending on the model of the ProxySG, you may have an LCD screen where you can make changes. If you do not have an LCD screen, you will need a null modem cable to make your changes. This document will describe the changes necessary for both methods.

LCD SCREEN METHOD:

To configure the ProxySG using the front panel:

1.) Connect the ProxySG to power and toggle the power switch (on models without power switches, the appliance will power on immediately).

2.) When the boot cycle finishes, the LCD displays "IP address not configured". Press any button to display configuration options and enter Configure mode (the LCD displays "Setup Mode? Manual").

3.) Press the Down button to display the IP address.

4.) Press the Enter button to enter Edit mode (cursor changes to a blinking box).

5.) Using the right and left buttons, position the cursor over the characters and press the up or down buttons to change them.

6.) When finished, press the Enter button to save changes and return to Configure mode.

7.) Repeat steps 4 through 6 to specify the subnet mask, gateway address, DNS address, console password, and enable password.

8.) When the LCD reads "Console Password: Push to set", press the Enter button to display an auto-generated password. Either write down this password (you can change it later in the Management Console), or press the Enter button again to change it now. You will need this password to log on to the appliance. NOTE: Please write down the password.

9.) Optional: Secure the serial console port with a password.

SERIAL PORT METHOD:

You will need a nine (9) pin null modem cable to connect to the serial console on the ProxySG. Make sure the cable is connected to the ProxySG and to your laptop or desktop. Make sure your serial connection has the following settings:

Bits per second (bps): 9600

Data bit: 8

Parity: None

Stop bits: 1

Flow control: None

Emulation: VT100

You can use Hyperterminal, PuTTY, or any other third-party terminal emulation software that can connect via the serial port.

Once connected via the serial port, press the "Enter" key three times to activate the serial console. A menu similar to the following will appear:

Welcome to the SG Appliance Serial Console

Version: SGOS 5.4.2.2, Release id: 41580

------------------------- MENU -----------------------------

1) Command Line Interface

2) Setup Console

------------------------------------------------------------

Enter option:

Select option 2) Setup Console and follow the steps to set up the console. There will be an option to set up the console user and the enable password. That is where you will enter the new password to replace the unknown or forgotten password. Please see the ADDITIONAL INFORMATION section below for an example of what this will look like. NOTE: The menu may change with SGOS versions. Your screens may differ depending on what version of SGOS you are running.

NOTE: Blue Coat recommends that the ProxySG be located in a secure environment so unauthorized access does not occur. If the ProxySG is not able to be located in a secure location, it is possible to place a password on the serial console so the unauthorized access risk can be mitigated. However, if the serial console password is forgotten, it may be necessary to RMA the ProxySG in order to restore serial console access. So be careful about placing a password on your serial console.

BLUE COAT DIRECTOR METHOD:

In Director, on the Configure tab, right-click the device and then select "Set passwords". From there you will be able to change the enable password.

With SSH access restored, you can restore the box to factory defaults, and then push the configuration again with Director.

ADDITIONAL INFORMATION:

Here is what the output looks like when you are running SGOS 5.4.4.1 and changing the enable password. Your menu may change depending on what version of SGOS you are running. Please note that the section regarding the admin and enable passwords is marked in red below.

---------------------------------------------------------------------

You can get field help by entering a question mark ? in the fields.

You can move backwards through the steps by pressing the UP arrow.

You can exit the wizard without saving your entries by pressing ESC.

---------------------------------------------------------------------

Step 1: How do you plan to configure this appliance?

a) Through a manual setup

b) Through a Director-managed setup

Your choice: [a] a

Step 2: Which solution would you like to implement?

a) Acceleration

b) Other solution

Your choice: [b] b

Welcome to the SG Appliance Setup Console

---------------------- (page 1 of 4) ---------------------

Press <ESC> at any time to return to the main menu

Setup mode: Manual

DIRECTIONS:

Please enter the IP addresses for the SG Appliance. The following interface will be configured:

1. Bridge passthru-0 (WAN: link, LAN: link)

When the serial port is secured, access via the serial port must be authenticated. A setup password is required to gain access to the Setup Console and administrative credentials are required to access the command line interface.

Do you want to secure the serial port? Y/N [Yes] N

---------------------- (page 3 of 4) ---------------------

Press <ESC> at any time to return to the main menu

DIRECTIONS:

The console username and password are special: they can be used to log in to the CLI or Web Management interface even in circumstances where this is denied by VPM or CPL policy. This makes the console account useful in emergencies, as a way to log in when policy is broken, but it may also create a security hole.

To close the security hole, we recommend that you restrict the use of the console account to specific workstations, identified by their IP address.

This dialog allows you to add one IP address to the list of workstations that are authorized to use the console account. (This same list is also used to restrict which workstations can use SSH with RSA authentication.) Additional workstations may be configured later, from the command line interface or the Web interface.

The console account can currently be used only from authorized workstations.

Would you like to add another authorized workstation? Y/N [No]

---------------------- (page 4 of 4) ---------------------

DIRECTIONS:

The SG Appliance has been successfully configured to use IP address: "xx.xx.xx.xx"

You can connect to the command line interface or Web interface to perform additional management tasks.

To connect to the command line interface, open the following location from your SSH application: xx.xx.xx.xx

To connect to the Web management interface, go to the following location with your web browser: https://xx.xx.xx.xx:8082/